From: Jeremy Harris Date: Mon, 29 Jun 2020 16:14:07 +0000 (+0100) Subject: Taint: fix ACL "spam" condition, to permit tainted name arguments. X-Git-Url: https://git.exim.org/users/heiko/exim.git/commitdiff_plain/62b2ccce05?hp=3d0472791a0928963a3f8184fe28479e80d1a47d Taint: fix ACL "spam" condition, to permit tainted name arguments. --- diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index b2b9a74b8..41a9629cf 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -69,6 +69,10 @@ JH/13 Fix dsearch "subdir" filter to ignore ".". Previously only ".." was JH/14 Bug 2606: Fix a segfault in sqlite lookups. When no, or a bad, filename was given for the sqlite_dbfile a trap resulted. +JH/15 Fix "spam" ACL condition. Previously, tainted values for the "name" + argument resulted in a trap. There is no reason to disallow such; this + was a coding error. + Exim version 4.94 ----------------- diff --git a/src/src/spam.c b/src/src/spam.c index 5eff1ad5c..bd34dba82 100644 --- a/src/src/spam.c +++ b/src/src/spam.c @@ -190,7 +190,6 @@ spam(const uschar **listptr) int sep = 0; const uschar *list = *listptr; uschar *user_name; -uschar user_name_buffer[128]; unsigned long mbox_size; FILE *mbox_file; client_conn_ctx spamd_cctx = {.sock = -1}; @@ -218,17 +217,14 @@ spamd_address_container * sd; result = 0; /* find the username from the option list */ -if ((user_name = string_nextinlist(&list, &sep, - user_name_buffer, - sizeof(user_name_buffer))) == NULL) +if (!(user_name = string_nextinlist(&list, &sep, NULL, 0))) { /* no username given, this means no scanning should be done */ return FAIL; } /* if username is "0" or "false", do not scan */ -if ( (Ustrcmp(user_name,"0") == 0) || - (strcmpic(user_name,US"false") == 0) ) +if (Ustrcmp(user_name, "0") == 0 || strcmpic(user_name, US"false") == 0) return FAIL; /* if there is an additional option, check if it is "true" */ @@ -237,19 +233,15 @@ if (strcmpic(list,US"true") == 0) override = 1; /* expand spamd_address if needed */ -if (*spamd_address == '$') +if (*spamd_address != '$') + spamd_address_work = spamd_address; +else if (!(spamd_address_work = expand_string(spamd_address))) { - spamd_address_work = expand_string(spamd_address); - if (spamd_address_work == NULL) - { - log_write(0, LOG_MAIN|LOG_PANIC, - "%s spamd_address starts with $, but expansion failed: %s", - loglabel, expand_string_message); - return DEFER; - } + log_write(0, LOG_MAIN|LOG_PANIC, + "%s spamd_address starts with $, but expansion failed: %s", + loglabel, expand_string_message); + return DEFER; } -else - spamd_address_work = spamd_address; DEBUG(D_acl) debug_printf_indent("spamd: addrlist '%s'\n", spamd_address_work);